
Sobig worm getting bigger

By Paul Roberts, IDG News Service
January 14, 2003 02:36 PM ET

A new computer virus, Sobig, is spreading on the Internet, according to alerts posted by a number of antivirus software companies.

Sobig is a worm that uses e-mail and shared network folders to infect machines running Microsoft's Windows operating system, according to information posted on the Web site of Helsinki antivirus company F-Secure.

The worm arrives in e-mail messages from a single sender, "big@boss.com," and is stored in attached executable files with names such as "Sample.pif," "Untitled1.pif" and "Movie_0074.mpeg.pif," according to F-Secure.

When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program and modifies the Windows registry so that the worm program will be launched whenever Windows is started.

Once it has infected a machine, the worm searches for e-mail addresses in a variety of text files on the computer's hard drive. Those addresses are used to send out more copies of itself. Sobig also searches for any shared folders on networks that the infected machine may have access to and places a copy of itself in any network folder it can access.
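As an added illustration, not code from the article or from F-Secure, the following Python check flags the mail-borne traits the article lists: the fixed sender, the reported attachment names, any .pif attachment, and a disguising double extension such as ".mpeg.pif". The sample messages are constructed inline; the recipient address and subject are hypothetical.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article: one fixed sender and .pif attachments.
SOBIG_SENDER = "big@boss.com"
SOBIG_NAMES = {"sample.pif", "untitled1.pif", "movie_0074.mpeg.pif"}


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def check_message(raw):
    """Return the indicator labels matched by a raw RFC 822 message.

    An empty list means none of the Sobig traits described above matched.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    sender = str(msg.get("From", "")).lower()
    if SOBIG_SENDER in sender:
        hits.append("sender:" + SOBIG_SENDER)
    for name in attachment_names(msg):
        lower = name.lower()
        if lower in SOBIG_NAMES:
            hits.append("known-name:" + name)
        elif lower.endswith(".pif"):
            hits.append("pif-attachment:" + name)
        # "Movie_0074.mpeg.pif" looks like a video but runs as a program:
        # a second extension hiding an executable one is its own signal.
        if lower.endswith(".pif") and lower.count(".") >= 2:
            hits.append("double-extension:" + name)
    return hits


def build_sample(sender, filename):
    """Constructed test message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"  # hypothetical recipient
    msg["Subject"] = "Re: Movies"
    msg.set_content("See attachment.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()
```

A mail gateway filter built on this would act on the combination of hits, since a lone .pif attachment from another sender is suspicious but is not by itself the worm.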

Although the new worm does not appear to steal sensitive information from the computers it infects, antivirus companies warned that the worm does connect to a Web site hosted by Yahoo's GeoCities, from which it tries to download and execute other files, according to F-Secure.

The GeoCities Web page used by Sobig was modified recently to instruct the worm to download a trojan program known as Backdoor.Delf that gives the virus writer and others control of infected machines, according to Mikko Hyppönen, manager of antivirus research at F-Secure.

GeoCities has been notified about the page by F-Secure as well as the CERT Coordination Center, according to Hyppönen. Yahoo was not immediately available to comment on the Sobig worm.

The worm first came to the attention of antivirus companies on Thursday and began spreading slowly, Hyppönen said.

In recent days, however, the virus has spread more rapidly and the number of machines infected by Sobig has grown.

As of Tuesday, F-Secure gave the worm a Level 2 ranking, indicating that it is "causing large infections" and putting it in a category with well-known predecessors such as the Klez worm.

Other antivirus companies upgraded their threat ratings for Sobig, as well. On Monday, Symantec's Security Response upgraded Sobig from a category 2 to a "moderate" category 3 threat.

The success of Sobig since it first appeared surprised Hyppönen, who said that Sobig is a comparatively simple worm that lacks many of the sophisticated features that allow a new generation of viruses to spread.

For example, Sobig always arrives in e-mail messages from the same sender, "big@boss.com," unlike recent successful worms such as Bugbear or Lirva, which generated their own sender addresses, swapped in trusted sender addresses from sources such as antivirus vendors, or selected them at random from a long list.
